case sensitivity, "Match User" and "AllowUsers"

Corinna Vinschen vinschen at redhat.com
Mon Mar 1 04:40:53 EST 2010


On Mar  1 04:33, Damien Miller wrote:
> On Sun, 28 Feb 2010, Corinna Vinschen wrote:
> 
> > Yes, that's better.  There are just a few glitches.  The test for
> > pw == NULL should come first and the #if should be an #ifdef.  And
> > I think it wouldn't hurt to have a comment which explains why this is
> > done.  What about this?
> 
> I prefer this - the test needs to be before the (pw == NULL) test
> so the usual processing for invalid users fires - I don't want
> to change the flow of the authentication code more than strictly
> necessary. 
> 
> Index: auth.c
> ===================================================================
> RCS file: /var/cvs/openssh/auth.c,v
> retrieving revision 1.136
> diff -u -r1.136 auth.c
> --- auth.c	11 Feb 2010 22:25:29 -0000	1.136
> +++ auth.c	28 Feb 2010 17:30:15 -0000
> @@ -535,6 +535,19 @@
>  	    get_canonical_hostname(options.use_dns), get_remote_ipaddr());
>  
>  	pw = getpwnam(user);
> +#ifdef HAVE_CYGWIN
> +	/*
> +	 * Windows usernames are case-insensitive.  To avoid later problems
> +	 * when trying to match the username, the user is only allowed to
> +	 * login if the username is given in the same case as stored in the
> +	 * user database.
> +	 */
> +	if (pw != NULL && strcmp(user, pw->pw_name) != 0) {
> +		logit("Login name %.100s does not match stored username %.100s",
> +		    user, pw->pw_name);
> +		pw = NULL;
> +	}
> +#endif
>  	if (pw == NULL) {
>  		logit("Invalid user %.100s from %.100s",
>  		    user, get_remote_ipaddr());
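
Review bot: the new logit() in the strcmp() branch records the supplied and stored names but not the peer address, unlike the "Invalid user %.100s from %.100s" line directly below it. Because pw = NULL makes both messages fire for a single attempt, consider adding get_remote_ipaddr() to the new message so it can be correlated on its own when logs are filtered. The comment could also say what the "later problems" are, namely the case-sensitive username matching in Match User and AllowUsers from this thread's subject, so the reason for rejecting a case-variant login is clear to anyone reading auth.c.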

That's fine, thank you!


Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat

